04-03-2018 10:28 AM
Hi all,
I am working on a project where the customer does not want to activate RADIUS Accounting because he just wants to use ISE to authenticate; he does not even care about not having accurate information about the session. I have searched all the different discussions about that, and I understand that it is recommended in almost every case (Session ID for redirection, posture, accurate tracking of sessions).
But in this case they do not want it, and it is not negotiable. We have done the POV, they are happy with it and want to buy Base licenses.
Now they are asking how they should count the licenses if RADIUS Accounting is not activated. I tested it in my lab: if there is an authentication, then there is a session that will stay there for some time (because no RADIUS Accounting Stop is received). I have been told that it is about one hour if the machine authenticated without any RADIUS Accounting Start. However, when I test I do not get the expected output (the license is not released after an hour):
• Automatic Purge: A purge job runs approximately every 5 minutes to clear sessions that meet any of the following criteria:
1. Endpoint disconnected (Ex: failed authentication) in the last 15 minutes (grace time allotted in case of authentication retries)
2. Endpoint authenticated in last hour but no accounting start or update received
3. Endpoint idle—no activity (authentication / accounting / posturing / profiling updates) in the last 5 days
Thanks
Rémi
Solved! Go to Solution.
04-04-2018 08:52 AM
Per direct email communication, this configuration would not be recommended. Yes, it will impact licensing, as the customer will likely have many more connected clients that should be licensed but are not accounted for in the system. It would also impact visibility, as sessions that have been established will not be seen in ISE Live Logs/Session directory. So yes, you will have someone at the front door checking people into the building, but never know if they are still in your building. There are also cases where this can impact the PSNs' ability to manage sessions. Few RADIUS platforms have such a limitation, so it sounds like the key issue is that the customer does not deal with the needed access layer configuration.
04-03-2018 11:15 AM
So far it works, technically speaking. I am just not so sure how the license is released; it does not seem to be after an hour.
What they say is that, first, they don't need accounting for their use cases (they want to do on ISE what they could do on a FreeRADIUS: basic authentication). Apparently it is not easy for them to configure it on all their equipment, and it is outsourced, so it is even more complicated. They do not even care that the accuracy of the logs will not be good.
Here it says that the purge works as follows:
" 2. Endpoint authenticated in last hour but no accounting start or update received
* Note: Session is cleared from MnT but does not generate CoA to prevent negative impact to connected endpoints. In other words, MnT session is no longer visible but it is possible for endpoint to still have network access, but no longer consumes license. "
So the license should be released after an hour or so while the device stays authenticated, which means that basically the number of Base licenses should be the number of authentications during an hour.
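To make the licensing reasoning above concrete, here is a small simulation of the MnT purge rules quoted in the first post (15-minute grace for failed authentications, 1 hour without an Accounting-Start/Update, 5 days idle, purge job roughly every 5 minutes) applied to a constructed stream of RADIUS events. This is an added example, not code from the thread or from Cisco; it models the ~5-minute purge as an exact 5-minute tick, keys sessions by endpoint MAC rather than by the NAS session ID, and assumes a purged session sends no CoA, exactly as the quoted note says. It also shows one effect the thread does not spell out: an endpoint that re-authenticates more often than once an hour (for example a short 802.1X reauthentication timer) never ages out, so its license is never released even without accounting.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Thresholds taken from the purge description quoted in the thread.
# The "approximately every 5 minutes" purge job is modelled as an exact tick (assumption).
PURGE_INTERVAL_MIN = 5
FAILED_GRACE_MIN = 15          # criterion 1: failed auth, grace for retries
NO_ACCT_START_MIN = 60         # criterion 2: authenticated, no Accounting-Start/Update
IDLE_MIN = 5 * 24 * 60         # criterion 3: no activity at all for 5 days


@dataclass
class Session:
    endpoint: str               # keyed by endpoint MAC (assumption; ISE keys on session ID)
    auth_time: int              # minutes since t=0 of the most recent authentication
    auth_ok: bool
    acct_seen: bool = False     # any Accounting-Start or Interim-Update received
    last_activity: int = 0      # last auth / accounting / posture / profiling update


def purge_reason(s: Session, now: int) -> Optional[str]:
    """Return why the purge job would drop this session at time `now`, or None if it stays."""
    age = now - s.auth_time
    if not s.auth_ok and age >= FAILED_GRACE_MIN:
        return "failed auth older than 15 min grace"
    if s.auth_ok and not s.acct_seen and age >= NO_ACCT_START_MIN:
        return "authenticated but no Accounting-Start/Update within 1 h"
    if now - s.last_activity >= IDLE_MIN:
        return "idle for 5 days"
    return None


def run_purge(table: Dict[str, Session], now: int) -> List[Tuple[str, str]]:
    """One purge pass. Drops matching sessions from the table and returns (endpoint, reason).
    No CoA is modelled: a purged endpoint keeps whatever network access it already had."""
    purged = [(ep, r) for ep, s in table.items() if (r := purge_reason(s, now))]
    for ep, _ in purged:
        del table[ep]
    return purged


def simulate(events: List[Tuple[int, str, str]], horizon: int):
    """Replay (minute, endpoint, kind) events and return
    ({purge_tick: number of license-consuming sessions}, [(tick, endpoint, reason), ...]).
    Only sessions with a successful authentication count against the license."""
    by_time: Dict[int, List[Tuple[str, str]]] = {}
    for t, ep, kind in events:
        by_time.setdefault(t, []).append((ep, kind))

    table: Dict[str, Session] = {}
    counts: Dict[int, int] = {}
    purge_log: List[Tuple[int, str, str]] = []
    for now in range(horizon + 1):
        for ep, kind in by_time.get(now, []):
            if kind in ("auth-ok", "auth-fail"):
                # A re-authentication refreshes the existing session instead of adding one.
                s = table.get(ep) or Session(ep, now, kind == "auth-ok")
                s.auth_time, s.auth_ok, s.last_activity = now, kind == "auth-ok", now
                table[ep] = s
            elif kind in ("acct-start", "acct-update") and ep in table:
                table[ep].acct_seen = True
                table[ep].last_activity = now
            elif kind == "acct-stop":
                table.pop(ep, None)          # accounting stop releases the session at once
        if now % PURGE_INTERVAL_MIN == 0:
            for ep, reason in run_purge(table, now):
                purge_log.append((now, ep, reason))
            counts[now] = sum(1 for s in table.values() if s.auth_ok)
    return counts, purge_log


# Constructed sample events (minutes, endpoint, RADIUS message seen by ISE).
EVENTS = [
    (0, "aa:aa", "auth-ok"),                             # no accounting ever: ages out at 1 h
    (3, "bb:bb", "auth-ok"), (4, "bb:bb", "acct-start"), # proper accounting: stays until stop
    (7, "cc:cc", "auth-fail"),                           # failed auth: dropped after grace
    (10, "dd:dd", "auth-ok"), (40, "dd:dd", "auth-ok"),  # no accounting, but re-auths
    (70, "dd:dd", "auth-ok"), (100, "dd:dd", "auth-ok"), # every 30 min: never purged
    (90, "bb:bb", "acct-stop"),
]

if __name__ == "__main__":
    counts, log = simulate(EVENTS, 120)
    for tick, ep, reason in log:
        print(f"t={tick:3d} purge {ep}: {reason}")
    for tick in (0, 10, 55, 60, 90, 120):
        print(f"t={tick:3d} licensed sessions = {counts[tick]}")
```

Without accounting, the count at any tick is roughly the number of distinct endpoints that authenticated successfully in the preceding hour (plus up to one purge interval), which is the rule of thumb stated above; the `dd:dd` endpoint shows the exception, since its re-authentications keep resetting the clock and its license is never given back.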
06-21-2018 04:18 AM
We have a similar demand in a project. The RADIUS accounting messages should be sent to Check Point due to a necessary Identity Awareness workaround. Do you know if there is any further function loss or malfunction to expect if we use AnyConnect ISE posture too? So far we know about a potentially incorrect live session count and incorrect license consumption.
Our ASA is now set to send only Authentication and Authorize-only RADIUS messages to ISE, but no accounting.
I haven't noticed any changes since I removed accounting configuration.
06-21-2018 04:45 AM
I wouldn't recommend it, as it's not tested and supported.
The customer should work with Check Point to integrate properly with pxGrid, as they already do that, of sorts.
You can reach out to product management for an enhancement on the RADIUS accounting side as well.
06-21-2018 05:07 AM
A Google search for ISE and Check Point:
https://www.cisco.com/c/dam/en/us/products/collateral/security/identity-services-engine/at-a-glance-c45-736265.pdf
There is also information in the ISE deployment guides
https://communities.cisco.com/docs/DOC-64012